Security concersn with BASE [was: Is this use of BASE kosher? ]

Daniel W. Connolly (
Fri, 4 Aug 95 18:14:09 EDT

In message <>, Lou Montulli writes:
>In article <> Owen Rees <>
>> The options seem to be:
>> 1) BASE is only for resolving relative URLs, it may be a URI for a
>> different resource.
>> 2) BASE must be a URI for this document

First, (2) is phrased strangely. What does it mean for a something to
"be a URI for a document"? A document is a sequence of characters.

It makes more sense to say that a document is a representation of
a resource named by a URI.

And when some document X contains <base href="uri-x"> then yes, that's
an assertion that document X is a representation of the resource
identified by uri-x.

It's also a request to cite this resource using uri-x. Now...
should that request be honored? I think so.

>2 can not be used because it opens up serious security concerns.
>You can't get a document from one source and then inform the
>user that it is from someplace completely different.

How is this different from an HTTP URI: header? Yes, folks can
lie. Unless you've got authentication, you pretty much have to trust
folks -- and realize that you'd better not rely too heavily on
unathenticated information.

> Since
>users rely on the URI to tell them where the document comes from
>this usage of BASE will lead users to believe things that are
>not true.

Any user who thinks that the base URI is where the document came
from is just mistaken, if you ask me.

Displaying the URL given in a <base> tag, rather than the one used to
fetch the document will lead the user to believe that the author wants
the document cited by that <Base> address, which is the truth, no?

In general, users shouldn't bet too much on info they get from the
net. In particular, if a document comes from one host, but it's
<base> tag gives a different host, what's the harm?